Getting an error about gpg key not matching

```
======================================================================================================================================
Package Architecture Version Repository Size

Installing:
python3-psutil x86_64 5.7.2-2.el8 Default_Organization_Foreman_Client_3_10_EL8 420 k

Transaction Summary

Install 1 Package

Total download size: 420 k
Installed size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
python3-psutil-5.7.2-2.el8.x86_64.rpm 5.5 MB/s | 420 kB 00:00

Total 5.4 MB/s | 420 kB 00:00
3.10 EL8 40 kB/s | 3.1 kB 00:00
GPG key at https://foreman.domain.com/katello/api/v2/repositories/67/gpg_key_content (0x1AA043B8) is already installed
The GPG keys listed for the “3.10 EL8” repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository… Failing package is: python3-psutil-5.7.2-2.el8.x86_64
GPG Keys are configured as: https:/foreman.domain.com/katello/api/v2/repositories/67/gpg_key_content
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing ‘yum clean packages’.
Error: GPG check FAILED
```

Expected it to work; not sure how to go about fixing it.

Foreman 3.10.0 and Proxy versions:

Foreman 3.10.0 and Proxy plugin versions:


Hi,

Did you just upgrade to a new Foreman version?
Have you imported the new client repo and the new GPG Key for that Repo?

Please take a look in the repo, which GPG Key is used

You can find the GPG Keys here
https://theforeman.org/security.html#GPGkeys

Hi,

Did you just upgrade to a new Foreman version?
This is the first time I ever used Foreman and this is a fresh install.

Have you imported the new client repo and the new GPG Key for that Repo?
I’m not sure how to import the new client repo. Also, how do I get the new GPG Key for that repo?
I’m not sure where to place it or where to do it.

Please take a look in the repo, which GPG Key is used
Thanks for the link, but I’m not sure what to do with it. Could you clarify what I should do with the GPG key and where to place it? Thanks

You can find the GPG Keys here
https://theforeman.org/security.html#GPGkeys

Hi @rubbertoe,

You might be interested in reading the documentation about how to add the necessary repos to Foreman, as well as how to register a host. This should also explain how to add GPG keys to a repo, so the client can automatically ask you to add it to your key-chain:

Import GPG Keys
Import Content
Register Hosts

The TLDR; is somewhat:
It looks to me as if you already added a Product with the Foreman Client repository in it (should be the 3.10 el8 x86_64 one), and attached that to your registered host. And it looks like you also already linked a GPG key to your client repository, though it seems you got the wrong GPG key, which makes it say it’s already installed, but the packages in the repo are not trusted by that one.
The thing is, every new release of Foreman gets its own new GPG key, and for 3.10 it’s the “Foreman Automatic Signing Key (3.10)”, on the page you already got linked to (Foreman :: Security). After you click the thumbprint in the left column of the table, it will show you / let you download the key.

So you need to look at your repository of the Foreman Client, check what GPG key (also called Content Credential) you linked, go to this one (Content → Content Credentials), find it there and either replace the incorrect GPG key or create a new one and relink it to the new GPG key (relink as in change the property in the repo).

I will give you pictures of how it’s configured for me with 3.11, maybe this helps you:


And every time you change the client to a new repo version, you will also have to replace the GPG key because of the fact that it got signed by a new one.
It’s also possible to add multiple keys to one Content Credential (only make sure there is a newline in between the 2 keys, like it’s in the GPG key import docs). That’s especially handy if you are using staging with content views, because the Content Credential will not be staged, it’s always the one configured globally.

If this was still too complicated, can you provide screenshots, or outputs from hammer, that show how it’s configured? Then we can directly point you to what you need to do.


Also, on a side note, it’s just this particular package. I was able to install other packages just fine. Will what you recommend fix this issue for all?

Are you installing a specific package, and it tries to install python3-psutil as a dependency, or do you actively try to install that package?
Because if it’s a dependency, dnf works the way that it tells you for the 1st package and then just aborts, before it tries for the other ones.
I just spun up a test-machine, python3-psutil is definitely signed with 0x93DD1D0C “Foreman Automatic Signing Key (3.10)”. (as well as the other packages in the repo)

Also I looked further into it, it seems to me as if you have the “Foreman Automatic Signing Key (2014)” GPG key in your Content Credential, which is linked to your client repo.

So yes, please check your linked Content Credential, I’m pretty sure it has the wrong GPG key in it :+1:
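An added example, not part of the thread or of Foreman's own code: Python that lists the key IDs found in the text of a Content Credential (one or more ASCII-armored keys, as described above) and checks whether the signer ID reported for a package is among them. The function names and the two dummy keys are constructed for illustration; real input would be the key text pasted into the credential.

```python
import base64, hashlib, re, struct

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(body):
    """Decode one armored block; armor headers end at the first blank line."""
    lines = [l.strip() for l in body.splitlines()]
    data = lines[lines.index("") + 1:]      # a line starting "=" is the CRC-24
    return base64.b64decode("".join(l for l in data if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                                  # new-format header
            tag, n, i = hdr & 0x3F, data[i], i + 1
            if 192 <= n < 224:                          # two-octet length
                n, i = ((n - 192) << 8) + data[i] + 192, i + 1
            elif n == 255:                              # five-octet length
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            elif n >= 224:
                raise ValueError("partial body lengths are not handled")
        else:                                           # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate lengths are not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def key_ids(credential):
    """64-bit key IDs of every v4 public key (tag 6) and subkey (tag 14)."""
    return [hashlib.sha1(b"\x99" + struct.pack(">H", len(p)) + p).digest()[-8:].hex().upper()
            for body in ARMOR.findall(credential)
            for tag, p in packets(dearmor(body)) if tag in (6, 14) and p[:1] == b"\x04"]

def credential_covers(credential, signer_id):
    """True if some key ID in the credential ends with the short or long signer ID."""
    want = signer_id.upper().replace("0X", "")
    return any(kid.endswith(want) for kid in key_ids(credential))

def demo_key(seed):
    """Constructed stand-in for a real key: v4 packet with dummy key material."""
    body = b"\x04" + struct.pack(">IB", 1700000000, 1) + hashlib.sha256(seed).digest()
    b64 = base64.b64encode(b"\x99" + struct.pack(">H", len(body)) + body).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----\n"

CREDENTIAL = demo_key(b"old") + "\n" + demo_key(b"new")  # constructed: two keys, blank line between
```

With the real credential text loaded into a string, `credential_covers(text, "0x93DD1D0C")` is the check for the 3.10 client packages discussed above.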

I’ll try and append the 3.10 gpg key with a new line and see if that works.


It worked!

Thanks for the help, I really appreciate it.

Great! You’re welcome!